SECURITY OF THE FEDERAL RAILROAD COMPUTER SYSTEMS NETWORK

Federal Railroad Administration

Report Number: FI-2006-029
Date Issued: January 9, 2006


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on Audit of Security of the Federal Railroad Computer Systems Network, FI-2006-029
Date: January 9, 2006
From: Theodore P. Alves, Principal Assistant Inspector General for Auditing and Evaluation
Reply to Attn. of: JA-20
To: Federal Railroad Administrator

This report presents the results of our audit of the security of the network infrastructure at the Federal Railroad Administration (FRA). FRA relies on this network infrastructure [1] and the information stored in its computers to conduct its safety inspection mission and other critical functions, such as analyzing rail economics, identifying rail defense issues, and routing hazardous materials. Securing FRA's network infrastructure is critical to both the Department of Transportation (DOT) and FRA missions because FRA is one of the Department's five Operating Administrations (OAs) that have direct connections to the Internet. Each OA is responsible for securing its own Internet connection.

In 1996 FRA moved out of the DOT Headquarters building due to environmental issues. It subsequently established its own network connections to the Internet to support its Washington and regional office operations. The Agency uses firewall [2] and virtual private network (VPN) [3] technologies to secure these connection points. FRA has also established remote dial-up (telephone line) connections to support hundreds of inspectors who travel across the country performing railroad safety inspections, such as examining railroad tracks. Through these telephone lines, inspectors, who include 180 state inspectors, access information stored in the FRA safety database and submit their inspection results, including proposed penalties for safety violations.

[1] A network infrastructure consists of a set of hardware and software used to interconnect computers and users, regardless of their physical locations.
[2] A firewall is a network device located at an Internet entry point. It serves as the first line of defense against cyber attacks from the Internet and prevents unauthorized access to an agency's private networks.
[3] Virtual private network (VPN) technology provides remote users with secure access to an organization's network over a public or shared telecommunications infrastructure such as the Internet.

Over the past 4 years, the Office of Inspector General has conducted a series of computer security reviews at DOT Headquarters and field offices of several OAs. These reviews have revealed many network security weaknesses that could cause disruptions not only to individual OAs but also to the rest of the Department because of DOT's interconnected networks (see the Figure).

Figure. DOT's Interconnected Networks
[Diagram: the Internet connects to an FRA Firewall/VPN and to a DOT Firewall/VPN; the FRA Firewall/VPN fronts the FRA Network, the DOT Firewall/VPN fronts the DOT Network, and the FRA Network and DOT Network are interconnected.]

The objective of this audit was to determine whether FRA's network infrastructure is adequately secured to support both DOT and FRA missions. Specifically, we sought to determine whether FRA's (1) network computers are properly configured and monitored to reduce the risk of attack, (2) Internet entry points are adequately protected to prevent cyber attack, and (3) remote network entry points used by employees and state inspectors are properly secured to prevent unauthorized access.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards as prescribed by the Comptroller General of the United States and performed such tests as we considered necessary to detect fraud, waste, and abuse. Details of our scope and methodology are discussed in Exhibit A.


RESULTS IN BRIEF

Overall, the FRA network was vulnerable to unauthorized access and attack from both inside and outside the Department. For example, during the audit, our staff was able to gain unauthorized access to FRA's individual computers from the Internet and obtained sensitive information [4] from these computers. In addition, we were able to take control of a network switch managed by FRA and of the main telephone switch maintained by the Office of the Secretary of Transportation (OST) for FRA. We could have changed the configuration in these switches to shut down a portion of the network or telecommunications service and cause serious disruption so that safety inspectors could not perform their work. To illustrate this concern, we changed the emergency contact telephone number in the telephone switch to one in the Office of Inspector General. This activity was not detected because FRA had not fully implemented an intrusion-detection monitoring capability.

Given its interconnectivity with other DOT networks, FRA's lack of security also put other departmental systems at risk. This was caused by a combination of lax management oversight, the absence of formal security policies and procedures, [5] and the absence of a full-time security official to oversee and enforce systems security. [6] Now that an official with responsibility for information systems security oversight is in place, it is critical that FRA assign a high priority to enhancing the network security it has lacked but clearly needs.

We are providing specific recommendations to better protect computers on the network, enhance the capability of detecting security breaches, increase personnel security, and strengthen management oversight. FRA management agreed with our recommendations and has started taking corrective actions.

The following summarizes what we found.

The FRA network was vulnerable to unauthorized attack from both inside and outside the Department. Computers on the FRA network had many vulnerabilities, some of which had been previously reported to FRA management but remained uncorrected. Our independent assessment revealed additional critical weaknesses not previously identified. These enabled us to gain unauthorized access to FRA computers from the Internet, including root-level access over a critical file server, desktop computers, and a network switch. From these computers we obtained sensitive information. FRA management is taking aggressive actions to eliminate all high-risk vulnerabilities.

[4] For security reasons, specifics concerning the weaknesses and vulnerabilities we identified and our audit procedures are not discussed in this report but were provided to FRA managers during the audit.
[5] FRA currently has draft security policies and procedures going through the final stages of formal coordination with FRA offices.
[6] The FRA Information System Security Officer (ISSO) position was vacant from June 2004 through April 2005, 2 months after we began this review in February 2005. During that time, the Director of the Office of Information Technology was the Acting ISSO.

About 65 percent of FRA employees connect remotely to FRA's network, which supports FRA's safety mission efficiently since its inspectors have to perform railroad safety inspections, such as examining railroad tracks, throughout the country. However, this high percentage of remote users creates a challenge for FRA's network security. About half of all FRA computers are not subject to routine vulnerability checks because they are being used by employees remotely the majority of the year. These unchecked computers, if infected with hostile software, could become conduits for spreading problems to the rest of FRA and other DOT networks.

Another security concern is that FRA granted 180 state inspectors access to its network without checking with state agencies to determine whether these personnel had received proper background investigations. While such investigations provide no guarantee of a person's loyalty or trustworthiness, they do provide some valuable information that might keep some personnel who pose a risk to DOT security from working on DOT systems.

FRA's Internet connections were not adequately secured. To secure a computer network, management needs not only to patch or eliminate vulnerabilities in computers but also to install additional tools, commonly known as intrusion-detection systems, to monitor traffic throughout the network for potential security breaches. This detection control is especially critical to networks with direct connections to the Internet because of relentless attacks by hackers worldwide. FRA procured an intrusion-detection system in September 2002 and certified that this control had been implemented in September 2003. However, we found that FRA did not start deploying this control until June 2005, after we made inquiries about it. FRA explained that this critical investment was idle for so long because of the lack of technical expertise by the existing contractor personnel. FRA management has committed to fully deploying this essential control.

While FRA's reliance on firewall security and VPN technology to control access to its private network from the Internet focused on the right technologies, these tools were not properly managed. First, FRA did not remove a former firewall administrator's (a contractor) root-level access privileges to the firewall software for 6 months. Second, FRA forgot to remove the VPN connection to another contractor's office after the contractor had completed the task. As a result, FRA left open two paths through which unauthorized individuals could gain access into its private network from the Internet. Both security vulnerabilities were corrected after we brought them to FRA management's attention. To prevent the recurrence of such problems, FRA needs to develop a firewall security policy detailing criteria for granting access from the Internet and requiring periodic evaluation of the firewall and VPN configuration by the Information System Security Officer.

The FRA network was vulnerable to unauthorized remote access. In addition to using VPN connections, FRA employees and state inspectors can also access the FRA network via dial-up modem connections. FRA has established a central modem pool to control such access with mandatory user authentication. However, it also allowed use of more than 50 separate dial-up lines outside of central modem pool control. FRA could not provide justification for or locate most of these dial-up lines. Through an unsecured line, we were able to dial into FRA's main telephone switch and successfully change its configuration. This vulnerability could cause serious disruption to FRA's telecommunications operations. FRA took immediate action, working with OST, to secure the telephone switch after we brought this issue to management's attention.

Another form of remote access that has gained significant popularity in recent years is wireless technology. This technology can be used to transmit data to and from remote locations. Since wireless connections bypass traditional security mechanisms on wired networks, such as firewalls or VPNs, they have to be monitored carefully. FRA did not allow the use of this technology within its network infrastructure at the time of our audit; nevertheless, we found an active wireless entry point within FRA Headquarters. This entry point was not connected to the FRA network and, therefore, did not pose a direct threat. However, we were concerned that FRA management did not know about this entry point. The access point was removed after we brought it to FRA's attention. The lack of oversight of these remote connections was partially due to turnover of key security staff.


FINDINGS

FRA Computer Network Was Vulnerable

Computers on the FRA network had many vulnerabilities, which had been known for months, if not years. Our independent assessment revealed additional critical weaknesses that were not previously identified. Together, these weaknesses enabled our audit staff to gain unauthorized access to individual FRA computers from the Internet and take control of part of its network infrastructure.

We also identified two other concerns. First, about half of all FRA computers are not subject to routine vulnerability checks because they are used by employees remotely. These unchecked computers, if infected with hostile software, could become conduits for spreading problems to the rest of FRA and DOT networks. Second, FRA granted 180 state inspectors access to its network but did not verify with state agencies whether these inspectors had received proper background investigations.


Known Security Vulnerabilities Not Corrected

Using commercial scanning software, we performed a vulnerability assessment of the FRA network and found over 2,400 high-risk, 1,000 medium-risk, and 15,800 low-risk security vulnerabilities [7] on 448 computers hosted at FRA Headquarters and regional offices. Some of these vulnerabilities are well known in the hacker community, such as blank passwords, use of the default manufacturer's passwords, or weak passwords. We gained total control (root-level access) of a critical file server, desktop computers, and a network switch. We obtained sensitive business information and could have made unauthorized configuration changes to these computers, including installing malicious software.

• Critical file server. This server allowed us to obtain critical network infrastructure information. By using this information, we were able to gain unauthorized access to FRA computers directly from the Internet.
• Desktop computers used by FRA employees. These computers yielded sensitive safety and personnel information.
• A network switch (a computer networking device that connects network segments). By taking control of this switch, we were in a position to reconfigure the FRA network, including shutting down a portion of it.

Some of these vulnerabilities had been known to FRA for months, if not years. The DOT Transportation Cyber Incident Response Center (TCIRC) has been providing weekly vulnerability scans of FRA private networks since 2003. For example, a high-risk vulnerability we found was identified by TCIRC weekly scans in January 2005. In fact, this same vulnerability was also identified in the FRA systems security certification and accreditation document dated June 2003.

FRA's inaction in correcting these known vulnerabilities was caused by the lack of operating procedures and management oversight of contractor performance. According to FRA officials, FRA relied on a contractor to review and correct these vulnerabilities. The contractor started working with FRA in November 2004 but had left by June 2005. The turnover of key contractor personnel caused delays in corrective actions.

[7] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk and low-risk vulnerabilities may provide an attacker with useful information, such as password files, that they can then use to compromise a computer system.

While our independent assessment found vulnerabilities similar to those identified by TCIRC, we also found additional significant weaknesses. For example, we identified other types of weak passwords associated with root-level user accounts, while TCIRC scans did not. FRA should work with TCIRC to expand its weekly scans.

FRA management is acting to eliminate all high-risk vulnerabilities and is developing a timetable for correcting those that remain.


Hundreds of FRA Computers Not Checked for Vulnerabilities

We identified a disparity between the number of FRA computers that were being scanned by TCIRC and the total number of computers on the network. We reviewed the TCIRC scanning results on six occasions during January and February 2005. During these scans, the number of FRA computers varied. The average number of FRA computers identified during each scan was less than 500, as shown in the following table. Yet FRA has more than 1,000 computers. Therefore, about half of all FRA computers were not subject to routine network security checks by TCIRC.

Table. TCIRC Scanning Results

    Date Scanned        No. of Computers Scanned
    2/16/05                       550
    2/09/05                       545
    1/31/05                       371
    1/26/05                       565
    1/17/05                       323
    1/07/05                       380
    Average per scan              456

FRA's high percentage of remote users explains the discrepancy. About 65 percent of FRA employees are remote users. Many safety inspectors connect to FRA's network remotely the majority of the year because they have to perform railroad safety inspections, such as examining railroad tracks, throughout the country. They use laptops to submit their inspection reports to the safety database hosted on the FRA network. When off the network, these computers cannot be reached during the scans. These laptops, if infected with hostile software such as viruses, spyware, or Trojan horses, [8] could become conduits for spreading problems to the rest of the FRA network and other DOT networks. Currently, FRA has no procedure in place to ensure that these computers are being adequately secured and patched to prevent cyber attack.

[8] Viruses, spyware, and Trojan horses are software programs capable of replicating themselves and causing substantial damage to a computer. A virus is a program that infects computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate. Spyware refers to software that monitors user activity without user knowledge or consent. A Trojan horse is a computer program that conceals harmful code; it usually masquerades as a useful program that a user would want to execute.


No Assurance of Background Checks on Hundreds of State Inspectors

FRA did not inquire with state agencies as to whether the 180 state inspectors given access to the FRA network had received proper background checks. This was allowed to occur because of a lack of proper management oversight. These state inspectors were given access to a sensitive safety database on the FRA network. Some of these inspectors also have active accounts in the FRA e-mail system. According to DOT policy, non-DOT personnel (contractors, industry associates, or other Government employees) are subject to the same background check requirement as DOT employees before they are allowed to access DOT systems. FRA should immediately contact cognizant state agencies for this information and remove the access privileges of those without proper background checks.


Internet Entry Points Were Not Adequately Secured

FRA did not start implementing the intrusion-detection system that it procured in September 2002 until June 2005. Installing this security control is especially critical to organizations with direct connections to the Internet because of relentless attacks by hackers worldwide. Annually, FRA invests about 50 percent of its total IT budget in its IT infrastructure. FRA explained that this critical investment was idle for so long because contractor personnel lacked technical expertise.

FRA relies on firewall security and a VPN to secure its Internet connection points. However, we found two incidents in which these technologies were not properly managed. First, FRA did not remove a former firewall administrator's (a contractor) root-level access privileges to the firewall software for 6 months. Second, FRA forgot to remove the VPN connection to another contractor's office after the contractor had completed the task. Both security incidents were corrected after we brought them to FRA management's attention.


Intrusion-Detection System Not Implemented in a Timely Manner

Intrusion detection is the process of detecting unauthorized use of or attack on a computer or network. Intrusion-detection systems are software or hardware systems that detect such misuse. The National Institute of Standards and Technology recommends deploying such systems as necessary additions to an organization's security infrastructure. This security control is particularly important to organizations with direct connections to the Internet because of constant hacking attacks.

FRA has spent about $500,000 to acquire and maintain a suite of security software, including an intrusion-detection system (IDS), since September 2002. The certification and accreditation document for the FRA network, certified in September 2003, stated that "a network-based IDS is in place and is currently monitoring the network for attacks and Internet abuse by internal users." However, we found that the implementation of the intrusion-detection system had not begun until June 2005, after we inquired about it. FRA management explained that this critical investment was idle for so long because contractor personnel lacked technical expertise. FRA has committed to fully deploying the intrusion-detection system promptly.

Until the intrusion-detection system is fully deployed, FRA cannot effectively protect its computers in today's volatile network environment. Other DOT OAs that have installed intrusion-detection systems have reported hundreds or thousands of potential security breaches daily.


Firewall Security and VPN Connections Not Properly Managed

We found a security weakness in FRA's firewall configuration. A former firewall administrator (a contractor) still had root-level access to the firewall software after having transferred to another position 6 months previously. With this access, the former administrator could continue modifying the firewall configuration, including opening additional unauthorized pathways to get into the FRA network from the Internet.

Use of VPN technology has become increasingly popular in recent years because it provides secure connections on public networks, such as the Internet, which is more economical than private networks. Because 65 percent of FRA employees remotely connect to its network, FRA has begun allowing its employees, contractors, and state inspectors to access its private network from the Internet using VPN technology. The number of VPN users at FRA more than doubled during our audit. The VPN connection to a contractor's office was not properly managed.

• About a year ago, FRA authorized a contractor to establish a VPN connection to the FRA network for a specific task. However, FRA did not remove this connection after the contractor had completed the task. As a result, people working in that contractor's office could continue accessing the FRA network over the Internet.

• FRA did not obtain security assurance from this contractor that the contractor's network was configured to meet DOT security requirements and that only authorized personnel could use the connection to access the FRA network. The Department requires OAs to obtain such security assurances from outside parties before allowing them to be connected to DOT.

Both access paths were removed after we brought the issues to FRA management's attention. These incidents happened because FRA had not developed a firewall security policy and did not have a procedure with which to periodically evaluate the firewall and VPN configuration. DOT requires that each OA develop a firewall policy and use it as a baseline for configuring its firewall so that only legitimate network traffic can enter the protected networks. In addition, a designated Information System Security Officer (ISSO) should periodically review and approve all access and configuration changes made to the firewall and VPN. However, FRA did not have a full-time ISSO until April 2005. With the new security officer on board, FRA should assign a high priority to enhancing its network security.


FRA Network Vulnerable to Unauthorized Remote Access

In addition to using VPN connections, FRA employees and state inspectors can access the FRA network via dial-up modem connections. Beyond its central modem pool, FRA allowed people to use more than 50 separate dial-up lines. Use of these dial-up lines was neither justified nor secured, in most cases. We also found an active wireless entry point at FRA Headquarters. While this entry point was not connected to the FRA network and did not pose a direct threat, we were concerned that FRA management did not know about its existence.


Dial-Up Connections Were Not Justified or Secured

FRA provided us with a list of 57 dial-up numbers that were authorized for use to make connections to the network. However, FRA could neither explain what these individual dial-up lines were intended for, nor justify why employees were allowed to use these telephone line connections, bypassing central modem pool controls.

We were able to determine that 2 of the 57 dial-up lines were reserved for testing purposes, and 1 was used for FRA Headquarters' main telephone switch maintained by OST. However, the dial-up line to the telephone switch was not secured. Anyone could use that telephone number to dial into the main telephone switch.

By using the unsecured dial-up connection and the default user password, we were able to alter the configuration in the main telephone switch, including system diagnostics, notification, and memory settings. For example, we changed the emergency contact telephone number to the main number of the Office of Inspector General without being detected.

By using these combined weaknesses, hackers could disrupt FRA telecommunications services, which could lead to major disruptions in business operations. FRA has taken action, working with OST, to secure the dial-up line to its telephone switch and has agreed to disable the remaining 54 dial-up lines.


Wireless Connection Found

DOT requires that each wireless device that is used to process or store DOT data, or that connects to a DOT network, must be approved for use by the designated official. According to FRA management, it neither used nor supported wireless connections to its network at the time we conducted the audit. However, we found an active wireless access point at FRA Headquarters. Later, FRA management informed us that the access point had been used to test wireless technology and should have been disconnected after the test.

We confirmed that the wireless entry point was not connected to the FRA network; therefore, it did not pose a direct threat to FRA. However, we were concerned that FRA management was not aware of the existence of this wireless access point, which could easily be connected to the FRA network and become an unsecured path. After we brought the issue to management's attention, the access point was located and removed.

The lax management oversight of these remote connections was partially due to the turnover of key security staff. FRA did not have a full-time Information System Security Officer until April 2005. Before that, the position was filled on an acting basis by someone with other primary responsibilities. With a full-time Information System Security Officer, who should report periodically to FRA's Chief Information Officer, FRA should assign a high priority to enhancing its network security.


RECOMMENDATIONS

We recommend that the FRA Administrator direct the FRA Chief Information Officer to:

Enhance FRA network security by:

   1. Eliminating all high-risk vulnerabilities identified in FRA computers within 30 days and establishing a timetable to correct the remaining vulnerabilities.

   2. Ensuring that timely actions are taken to correct vulnerabilities identified in future weekly scanning reports.

   3. Developing a mechanism to ensure that all computers used remotely are periodically checked for vulnerabilities and patched with the latest security upgrades.

   4. Contacting state agencies to find out whether the 180 state inspectors given access to the FRA network have received proper background checks and establishing a target date to disable their access if the requested information is not received.

Strengthen security at Internet connection points by:

   5. Fully deploying the intrusion-detection system to monitor traffic on the FRA network promptly.

   6. Developing a firewall policy commensurate with DOT security requirements.

   7. Establishing procedures to ensure periodic evaluation of firewall and VPN configuration by the Information System Security Officer.

   8. Requiring that security assurance be obtained from outside entities before allowing them access to FRA's private networks through VPN connections.

Prevent unauthorized remote access by:

   9. Disabling the remaining 54 dial-up connections to the FRA network.

   10. Establishing procedures to periodically detect unauthorized wireless access points on the FRA network infrastructure.


MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

A draft of this report was provided to the Federal Railroad Administrator for comments on October 27, 2005. FRA's Deputy Administrator responded on November 21, 2005, and concurred with all recommendations. For security reasons, we are not including FRA's written response in our report due to the specificity of the agency's statements. However, its response is summarized below.

The actions taken and planned by FRA are generally reasonable. However, no target date was provided for recommendation 4, and management's response to recommendation 9 indicates that FRA may not disable all 54 dial-up connections. If FRA does not disable all of these connections, management should justify the need to use them and ensure that they are adequately secured. Specific comments by FRA and its planned actions on our recommendations are provided below.

Recommendation 1: FRA concurred. FRA has committed to eliminating the outstanding risks promptly.

OIG Response: The action taken and planned by FRA meets the intent of our recommendation.

Recommendation 2: FRA concurred. FRA will institute written processes that will ensure timely corrective actions to resolve identified vulnerabilities promptly.

OIG Response: FRA's planned action meets the intent of our recommendation.

Recommendation 3: FRA concurred. FRA will promptly develop a plan to ensure that all computers used remotely are regularly checked for vulnerabilities and patched with the latest security upgrades.

OIG Response: FRA's planned action meets the intent of our recommendation.

Recommendation 4: FRA concurred with exploration of alternative solutions. FRA determined that out of the 30 participating programs, only 7 States perform any type of background check on inspectors. FRA proposes limiting the access of State program personnel who have not undergone some type of background check to Internet email only. These users will not have access to FRA's private network, including safety inspection systems.

OIG Response: FRA's planned action partially addresses our recommendation. The response did not specify how many State inspectors have received proper background checks in accordance with DOT policies. Further, the response did not provide a target date to disable State inspectors' access to FRA's private network if evidence of proper background checks is not received.

Recommendation 5: FRA concurred. FRA has committed to promptly deploying the intrusion-detection system.

OIG Response: FRA's planned action meets the intent of our recommendation.

Recommendation 6: FRA concurred. FRA indicated that it developed and instituted a firewall policy commensurate with DOT security requirements in November 2005.

OIG Response: FRA's action meets the intent of our recommendation and will be subject to a follow-up review.

Recommendation 7: FRA concurred.
FRA\xe2\x80\x99s Information System Security\nOfficer has committed to establishing procedures to ensure periodic evaluation of\nfirewall and VPN configuration by December 15, 2005.\n\nOIG Response: FRA\xe2\x80\x99s planned actions meet the intent of our recommendation.\n\nRecommendation 8: FRA concurred. In November 2005, the FRA Office of\nInformation Technology indicated they developed and instituted a formal VPN\nprocess, which requires users to sign a VPN end-user agreement prior to obtaining\nVPN access.\n\nOIG Response: FRA\xe2\x80\x99s action meets the intent of our recommendation.\n\nRecommendation 9: FRA concurred in part. FRA has committed to promptly\ndisconnecting any remaining unused dial-up connections.\n\nOIG Response: Based on conversation with FRA officials, they indicated that\nFRA may not disable all 54 dial-up connections. In that case, management should\njustify the need to retain the dial-up lines and ensure that they are adequately\nsecured.\n\nRecommendation 10: FRA concurred. FRA indicated they started conducting\nperiodic checks of unauthorized wireless access points in November 2005.\n\nOIG Response: FRA\xe2\x80\x99s planned action meets the intent of our recommendation\nand will be subject to follow-up review.\n\x0c                                                                             15\n\n\nACTIONS REQUIRED\nIn accordance with Department of Transportation Order 8000.1C, we request that\nFRA provide within 15 days, the number of inspectors without proper background\nchecks and a target date for disabling their access to FRA\xe2\x80\x99s private network\n(Recommendation 4). We also request that FRA provide information on the\nnumber of dial-up lines that are retained and secured (Recommendation 9).\n\nWe appreciate the courtesies and cooperation of FRA representatives during this\naudit. If you have any questions concerning this report, please call me at (202)\n366-1992 or Rebecca C. 
Leng, Assistant Inspector General for Information\nTechnology and Computer Security, at (202) 366-1488.\n\n\n\n\ncc: Chief Information Officer, DOT\n    Chief Information Officer, FRA\n    Martin Gertel, M-1\n    Victor Angelo, RAD-43\n\x0c                                                                                 16\n\n\n\nEXHIBIT A. SCOPE AND METHODOLOGY\nWe reviewed the underlying network infrastructure supporting FRA missions,\nincluding Internet entry points, remote access connections, and the private\nnetwork. Specifically, we used commercial scanning software and other\ncommonly available scanning tools to identify network hardware (routers,\nfirewalls, concentrators, dial-up modems) and system software configuration\nvulnerabilities that allowed unauthorized access to the FRA network. We did this\nnetwork scanning from the internal networks at FRA Headquarters and a regional\noffice. We interviewed key network administration officials and reviewed FRA\nfirewall configuration files and security policies and procedures to ensure adequate\nenforcement.\n\nAdditionally, we assessed FRA wireless and VPN usage, two relatively new and\npopular technologies used by many Federal agencies. We used wireless scanning\nsoftware to identify the wireless access points and evaluated whether the security\nused to protect them was adequate. We also reviewed the VPN hardware and\nsoftware configuration to ensure that the settings adhered to current industry\nstandards and procedures. In addition, we performed limited penetration tests on\nVPN connections by exploiting identified vulnerabilities.\n\nOur audit work was performed between February and August 2005 at FRA\nHeadquarters in Washington, DC, and a regional office in Cambridge,\nMassachusetts. 
The audit was conducted in accordance with Generally Accepted\nGovernment Auditing Standards prescribed by the Comptroller General of the\nUnited States, and included such tests as we considered necessary to provide\nreasonable assurance of detecting waste, fraud, or abuse.\n\n\n\n\nExhibit A. Scope and Methodology\n\x0c                                                                         17\n\n\n\nEXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                                   Title\n\nRebecca C. Leng                        Assistant Inspector General for\n                                       Information Technology and\n                                       Computer Security\n\nEdward Densmore                        Program Director\n\nDr. Ping Z. Sun                        Project Manager\n\nJohn Johnson                           Senior Information Technology\n                                       Specialist\n\nAaron Nguyen                           Computer Scientist\n\nMichael P. Fruitman                    Communications Adviser\n\n\n\n\nExhibit B. Major Contributors to This Report\n\x0c'